← Blog

KI-Recht & Compliance

EU AI Act: The Guide for Companies

The EU AI Act is here and is coming into force gradually. Risk classes, deadlines, fines, the roles of providers and operators, and the interaction with the GDPR — explained clearly.

Felix Stürmer· 12 March 2026· 3 min read
EU AI Act: The Guide for Companies

With the EU AI Act, there is for the first time a comprehensive regulatory framework for Artificial Intelligence. The Regulation (EU) 2024/1689 entered into force on August 1, 2024, and applies in stages. It affects not only AI manufacturers, but every company that uses AI.

The Timeline: What applies from when

The obligations apply in stages (Art. 113):

  • since February 2, 2025: the prohibitions (Art. 5) and the AI literacy obligation (Art. 4);

  • since August 2, 2025: the obligations for general-purpose AI models (GPAI), governance, and the fine regime;

  • from August 2, 2026: the remainder of the regulation, in particular the transparency obligations (Art. 50);

  • the high-risk obligations follow at a later date.

ℹ️

Note: A political agreement (the "Digital Omnibus", May 2026) provides for some high-risk deadlines to be postponed. However, until publication in the EU Official Journal, the original timeline remains decisive — especially for the transparency obligations on August 2, 2026.

The Four Risk Classes of the AI Act
Minimale.g. spam filtersLimitedtransparency obligationHighstrict requirementsUnacceptableprohibited
The higher the risk, the stricter the obligations.

The Four Risk Classes

The core of the law is the classification by risk:

  • Unacceptable risk (prohibited, Art. 5): including social scoring, manipulative systems, emotion recognition in the workplace, biometric remote identification in public spaces.

  • High risk (Annex III): including personnel selection/HR, creditworthiness, critical infrastructure, education — with strict requirements.

  • Limited risk (Art. 50): chatbots, deepfakes, synthetic content — labeling and disclosure obligation.

  • Minimal risk: spam filters, simple recommendation systems — no requirements.

The EU Commission emphasizes that the „vast majority of AI systems currently used in the EU“ falls into the minimal category — so there is no need for panic.

The Fines

Unlike how it is often simplified, the €35 million / 7% only applies to the most severe category:

  • up to €35 million or 7% of the total worldwide annual turnover — only in case of violation of the prohibitions (Art. 5);

  • up to €15 million or 3% — for violations by providers and operators;

  • up to €7.5 million or 1% — for providing false information to authorities.

For SMEs and start-ups, the lower of the two values applies in each case.

35Million €
maximum fine — only for prohibited practices (Art. 5)

Provider or Operator? The most important difference for medium-sized businesses

Duties are tied to the role. Anyone who only uses a purchased AI system...uses, is usuallyOperator— with significantly lighter duties than that of theProviderAttention: Anyone who significantly modifies a system or offers it under their own name may be "upgraded" to the status of a provider.

The underestimated duty: AI competence (Art. 4)

Since February 2025, [they/you/we] have already had toallCompanies that use AI must ensure their employees have sufficient AI competence—regardless of the risk category. This is the simplest and most urgent lever: training and clear usage rules.

The AI Act and GDPR interlock

Both sets of regulations apply in parallel. Anyone using AI with personal data requiresadditionala GDPR legal basis and, if applicable, a data protection impact assessment. Our [document/guide/etc.] shows how you can cover the data protection side of things.Guide to GDPR-compliant AIas well as theSelection criteria for GDPR-compliant AI.

Conclusion

The AI Act sounds like a lot of bureaucracy, but for most companies, it is manageable—provided that they get an overview early on, clarify their own role, and rely on providers that offer transparency and data protection by default.

Sources

GDPR-compliant AI from a real German data center

Kasimir runs on its own infrastructure in Germany — no detour via US providers, no CLOUD Act reach.